EU toughens cyber-security rules across the continent

The European Union (EU) is doubling down in its fight against cyber crime. On Friday (May 13), EU countries and lawmakers agreed to impose tougher cyber-security rules for large energy, transport and financial firms, as well as digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players.

The decision was taken as a response to the rise in online threats brought about by the Russian invasion of Ukraine.

The new policy builds on existing rules proposed by the European Commission in 2020, known as the NIS 2 Directive, which, in turn, expands on the scope of the current NIS Directive.

The new rules cover all medium and large companies in essential sectors: energy; transport; banking; financial market infrastructure; health; vaccines and medical devices; drinking water; digital infrastructure; public administration, and space.

All medium and large firms in postal and courier services; waste management; chemicals; food manufacturing; medical devices; computers and electronics; machinery equipment; motor vehicles; digital providers such as online marketplaces, online search engines, and social networking service platforms will also fall under the rules.

The companies are required to assess their cyber-security risk, notify authorities and take technical and organisational measures to counter the risks, facing fines of up to 2 per cent of global turnover should they fail to do so. The regulation will also allow EU countries and EU cyber-security agency ENISA to assess the risks of critical supply chains.

“Cyber threats have become bolder and more complex," said EU industry chief Thierry Breton. "It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected." 

The new online regime also builds on the EU’s plans for more effectively tackling child sexual abuse online, a criminal activity that has significantly increased during Covid-19 lockdowns.

To address this problem, the European Commission has announced a new law to ensure technology companies such as Meta, Google and Apple expedite both the removal of child sexual abuse images and the prevention of grooming. Companies that fail to do so could face fines of as much as 6 per cent of annual income.

The measure needs the approval of both the European Parliament and EU leaders, a process that can take two years. In the meantime, Big Tech companies have said they want to protect law-abiding users, calling for alternative solutions to tackle this pressing issue.

“A fine balance between safety online and privacy will need to be found," said Siada El Ramly, director general of DOT Europe, a lobby group that protects the interests of tech giants.